1.0 INTRODUCTION

The increase of aircraft transportation during the last ten years
has been nothing less than phenomenal. To accommodate this
increase, greater demands must be imposed upon aircraft and
their associated ground support equipments. Higher equipment
reliabilities and extremely low probabilities of mission failure
are natural requirements which must be fulfilled in this area with
the aid of modern technologies.

An instrument landing system (ILS) is one such ground support
equipment which embodies these requirements. The ILS, providing
guidance to approaching or landing aircraft under adverse
weather conditions, must employ "optimum" design and reliability
to ensure personnel safety. This is especially true in the Category
III ILS which provides guidance information from the coverage
limit of the facility at which it is installed to, and along, the
surface of the runway. To ensure that the "optimum" in equipment
performance is achieved, a qualitative system analysis which
stratifies all possible modes of failure, their criticality and effect
on mission success must be accomplished. Such an analysis,
called a Failure Modes, Effects and Criticality Analysis (FMECA),
has been performed by Texas Instruments Incorporated on its
Category III ILS (FAA Mark III ILS) and is the subject of this
report.

1.1 Safety Requirement

It is impossible to achieve the implementation of a system with
infinite reliability and safety; therefore, it becomes necessary
that some safety/reliability goal be established to enable the
relative safety of the ILS to be determined. For Category III
operations, there is a brief time period during which the safety of
the aircraft becomes completely dependent upon the integrity of
the electronic system. Failure of certain critical ground based
components during this time period could possibly result in a
catastrophic event. In an attempt to quantify the safety of the
equipment, the figure specified is a probability of 1 failure in
ten million landings. This figure was derived by the British Air
Registration Board from human mortality data and safety records
of aircraft. This requirement indicates that the landing operation
under Category III conditions would be safer than a person can
predictably expect to be in his normal day-to-day activities. The
value, if anything, is on the stringent side, in that it is not possible
to categorically state that a given failure will be catastrophic, but
only that it will produce a potentially hazardous situation that
may be catastrophic if the proper corrective action on the part
of the aircraft crew is not taken.


The relationship of mean-time-between-failures (MTBF) to the
overall system reliability requirement is as follows:

The predicted localizer hardware MTBF is approximately 1200
hours and that of the glide slope is 1800 hours. Any given
failure in the equipment will contribute to a lower MTBF but
will not necessarily interrupt the operation or even degrade the
operational category status (Category III or II). This is possible
through appropriate equipment redundancy so that when
individual component failures occur, continued operation may
still be possible. Consequently, it is possible for the probability
of operational failure to be far less than a component
failure. Given that the ground system is fully operational at
the inception of a Category III ILS approach, the probability of
malfunction of the radiated signal (both localizer or glide
slope) during the critical part of the approach (defined as ten
seconds for the localizer and five seconds for the glide slope)
should be less than one in ten million which corresponds to an
equivalent MTBF of operation in the order of 27,000 hours.
2.0 PURPOSE

The primary purpose of performing an FMECA upon the Category
III ILS is to insure that the equipment design is such that the
probability of a potentially hazardous failure (loss of signal or
radiation of an erroneous signal) during the critical phase of
Category III landing is less than 1 x 10^-7. In addition, a number
of secondary objectives exist: (1) to reveal hazardous failure
modes jeopardizing personnel safety and/or system performance
status; (2) to enumerate all relevant functional failure modes
along with their effect and failure rate; (3) to serve as a
documented aid in the troubleshooting process of field failures in the
future; (4) to serve as an objective evaluation of both the
equipment specification and its design; and (5) to determine the
frequency of preventive maintenance in checking for hidden failures.
3.0 SYSTEM DESCRIPTION


A Category III ILS provides aircraft with guidance information
from the coverage limit of the facility to, and along, the surface
of the runway. The system under analysis has operational
performance of Category III, that is, operation with no decision
height limitation. Initially the system will be used in Category
IIIA operations in which the pilot will make use of external visual
references during the final phase of landing, and with a runway
visual range (RVR) of not less than 700 feet. The ILS must be
suitable for eventual use by automatic control system for rollout,
which will be used in Category IIIB operations with runway
visual ranges down to 150 feet.

The ILS system basically consists of two separate stations - the
localizer and the glideslope, depicted in simplified block diagram
form by figures 3-1 and 3-2 respectively. In addition to these
stations, a central point for station control and the display of
station status exists at the control tower. Up to three marker
beacons are also utilized in a typical ILS installation. However,
no description of the marker beacons will be provided since they
will not be considered in this analysis.


3.1 General Descriptions

The localizer provides guidance in the horizontal plane to aircraft
engaging in approaches to, and landing at, airfields. The localizer
antenna group radiates two VHF carriers, each amplitude
modulated by 90 and 150 Hz and both carrier frequencies within a
particular VHF channel. The radiation field pattern produces a
course sector with one tone predominating on one side of the
course line (runway center line) and with the other tone
predominating on the opposite side. Along the course line, the 90 Hz and
150 Hz modulations have the same levels. Being a two-frequency,
capture effect system, one of the carriers (course) provides a
radiation field pattern coverage in the front course sector; the
other carrier (clearance) provides a radiation field pattern
coverage outside that sector to ±60 degrees from the course line.

The glideslope station provides guidance in the vertical plane.
It produces a UHF composite field radiation pattern which is
amplitude modulated by 90 and 150 Hz. The pattern provides a
straight line descent path in the vertical plane containing the
runway center line, with the 150 Hz tone predominating below
the path angle and the 90 Hz tone predominating above the path
angle. In addition to this course coverage, a clearance UHF
carrier is modulated by 150 Hz to provide low angle coverage.
Both carriers (course and clearance) are within a particular
glideslope UHF channel.


3.2  Localizer 

Referring to figure 3-1, there are two transmitter sections
incorporated into the localizer station. One transmitter is
designated as the main transmitter and the other, the standby
transmitter. Automatic changeover capabilities are provided.
While the main transmitter radiates into the antenna system, the
standby transmitter will be operating into dummy loads. Whenever
the main transmitter shuts down due to some equipment failure,
the standby transmitter is transferred immediately to the antenna
system.

A brief explanation of each transmitting unit is in order. The
course transmitter delivers a VHF carrier (108-112 MHz)
frequency to the solid state modulator where it is modulated by 90
and 150 Hz tones. Two signals (figure 3-2) are generated by
the modulator: carrier plus sidebands (C+SB) and sidebands
only (SBO). The modulator also delivers to the clearance
transmitter a composite of low frequency 90 and 150 Hz tones to
modulate the clearance carrier, generating the clearance C+SB.
In addition, low frequency 90 and 150 Hz tones and clearance
carrier are supplied to the sideband generator where the
clearance SBO is generated. The identification unit, which provides
the pilot identification of the runway and the approach direction,
generates a 1020 Hz identification signal which modulates both
the course and clearance carriers.

The output signals from the main and standby transmitting units
are routed to the changeover and test unit where transmitter
transfer capabilities are accomplished. Signals received from
the control unit determine which transmitter operates into the
antennas - main or standby. When the main transmitter is
connected to the antenna system, the standby transmitter operates
into dummy loads. When the standby unit is connected to the
antenna system, the main unit is turned off. Within the
changeover and test unit there exists circuitry for use in monitoring
standby transmitter parameters.

From the changeover and test unit, the course and clearance
transmitter signals (C+SB and SBO) are fed to the course and
clearance distribution circuits respectively. Each of the
distribution circuits merely distributes the C+SB and SBO signals to the
localizer antennas. Phasing relationships and signal combinations
are accomplished within the distribution circuits so that the proper
field radiation pattern is established via the antennas. The antenna
assembly consists of a parabolic reflector with directional
exciters and a clearance array. The parabolic reflector with
directional exciters (three directional antennas) is used in
establishing the course field radiation pattern; however, to establish
the clearance field radiation pattern both the clearance array
(consisting of 4 antenna elements) and the course antenna system
are required.

Figure 3-2. Category III Two-Frequency Glide Slope Block Diagram

To provide integral monitoring ability of the radiated signal
parameters, proximity detectors are utilized. Each transmitting
source is sampled by a proximity probe. The captured signals
are then combined (in the distribution circuit cabinets) to provide
the proper signals with which system parameters are monitored.
The system parameters which are monitored are: course position,
displacement sensitivity, carrier power level, percentage
modulation, identification signal, and clearance monitoring.

Triplicate monitoring of each of these parameters is incorporated
as shown in figure 3-1. When the tolerance limit of any
parameter is exceeded, an alarm signal from each of the respective
monitor channels is fed to the control unit, from which a transfer
to the standby transmitting unit is initiated. The control unit acts
upon a 2 of 3 vote to initiate the transfer.


In addition to the integral monitoring of system parameters, near
field and far field course position monitoring is also incorporated.
The near field monitoring utilizes a single Yagi antenna to provide
dual monitoring ability. The far field monitoring utilizes three
Yagi antennas feeding triplicate VHF receivers and triplicate
monitor channels with a 2 of 3 vote. Both near field and far
field alarm signals are delayed to prevent disturbances created
by aircraft overflights and landings from causing equipment
alarm and shutdown.

The same system parameters are monitored for the standby
transmitting unit as for the main transmitting unit. However,
only single monitoring is incorporated. Upon an alarm from
any standby monitor, the standby transmitting unit will be shut
down after a nominal 5 second time delay.

The far field monitor has its own alarm processing circuitry to
minimize the quantity of telephone lines needed for remote
transmission. Each far field monitor channel provides two alarm
outputs - a Category III alarm and a Category II alarm. The
difference between these two alarm outputs is merely in tolerance
limits. A two of three vote is utilized for both the Category II
and Category III alarms. Time delays are associated with the
final alarm outputs for both categories; however, the Category
III alarm time delay is accomplished at the remote control unit
in the control tower (the Category III alarm signal is conveyed
directly to the tower where performance downgrade is
accomplished). Besides a general power/temperature alarm and a
far field monitor bypass signal, three signals are sent to the
localizer control unit - a monitor mismatch, a shutdown alert,
and a shutdown. A monitor mismatch signal indicates that one
of the three Category II monitor channel alarms has existed
over a definite time period (nominal 120 seconds). A shutdown
signal indicates that 2 of 3 Category II monitor channel alarms
have existed over a set time period (nominal 70 seconds).
When received at the localizer control unit, this shutdown
signal will immediately shut down the entire localizer station.
The shutdown alert signal precedes the shutdown signal by a
nominal 5 seconds. The shutdown alert signal initiates a
shutdown warning signal (within the control unit) which is
transmitted to the pilot to give him an advance warning of the
forthcoming shutdown.

The localizer control unit processes alarm signals received from
the monitor channels. If only one alarm is received from any
monitor channel set, a MONITOR MISMATCH lamp located on the
control unit front panel will illuminate. All integral monitor
alarms require a two of three voting to initiate a transfer
command. An actual transfer will be accomplished only if the
standby transmitting unit is available while the main is operative. If
either the standby transmitter is operative (on the air) or if it is
shut down, a transfer command leads to a localizer shutdown.

If both near field monitors alarm, a direct localizer shutdown
will result after the nominal 5 second time delay. A shutdown
alert is also initiated prior to the shutdown command of the near
field alarms.

In  addition  to  the  alarm  processing  already  described,  the  control 
unit: 

1. Provides signals to the remote control unit showing the
status of the main and standby transmitting equipment.

2. Provides signals to the remote control unit downgrading
the facility performance Category III status to Category
II if the standby equipment is either not available
or is on the air.

3. Processes transmitter "cycle" commands received from
the remote control unit.

4. Visually displays all alarm conditions and transmitter
status.

5. Provides for the selection of the main transmitting unit.

6. Provides for the bypassing of all monitor channels.

7. Provides for the memorization or non-memorization of
monitor alarms.

8. Provides for the selection of command control from either
the remote control unit or the localizer control unit.

9. Inhibits restoration of radiation for at least 20 seconds
after localizer radiation has been shut down.

10. Provides for testing the integrity of both abnormal
indication and monitor alarm lamps with a bulb test
switch.

11. Provides signals to the remote control unit showing either
(1) monitor alarm abnormals or (2) power/environmental
abnormals. (Note: power/environmental abnormals downgrade
system performance status from Category III to
Category II after a preset time delay.)
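
The alarm processing described above for the localizer control unit (2 of 3 vote, MONITOR MISMATCH on a lone alarm, transfer or shutdown depending on the standby state, and the delayed near field shutdown) can be written out as the following added example, which is not part of the original report. All names are hypothetical, the sample sequences are constructed, and the timer restarting when the alarm clears is an assumption.

```python
# Added illustration (not from the report): localizer control-unit alarm
# processing as section 3.2 describes it. All names are hypothetical.
from dataclasses import dataclass
from enum import Enum


class Standby(Enum):
    AVAILABLE = "available"   # running into dummy loads, ready to take over
    ON_AIR = "on_air"         # already radiating; main unit is turned off
    SHUT_DOWN = "shut_down"   # removed by its own (single) monitor


@dataclass(frozen=True)
class Outcome:
    action: str               # "none", "transfer" or "shutdown"
    monitor_mismatch: bool    # MONITOR MISMATCH lamp on the front panel
    cat3_eligible: bool       # False: station signals a downgrade to the tower


def process_integral_alarms(alarms, standby):
    """Apply the 2 of 3 vote to one triplicated integral monitor set."""
    if len(alarms) != 3:
        raise ValueError("integral monitoring is triplicated: need 3 channels")
    in_alarm = sum(1 for a in alarms if a)
    if in_alarm < 2:
        # No transfer command. A lone alarm only lights MONITOR MISMATCH.
        # Category III is kept only while the standby is still in reserve.
        return Outcome("none", in_alarm == 1, standby is Standby.AVAILABLE)
    if standby is Standby.AVAILABLE:
        # Main on the air, standby ready: transfer. The standby is then on
        # the air, so the station downgrades to Category II.
        return Outcome("transfer", False, False)
    # Standby already on the air, or shut down: the command ends in shutdown.
    return Outcome("shutdown", False, False)


def near_field_shutdown_time(samples, period_s=1.0, delay_s=5.0):
    """Return the time in seconds at which shutdown is commanded, or None.

    samples holds (near_field_1_alarm, near_field_2_alarm) pairs taken every
    period_s seconds. Both monitors must alarm for the nominal 5 s delay.
    Assumption: the delay timer restarts whenever the dual alarm clears.
    """
    held = 0.0
    for i, (first, second) in enumerate(samples):
        if first and second:
            held += period_s
            if held >= delay_s:
                return (i + 1) * period_s
        else:
            held = 0.0
    return None


# Constructed samples: a 3 s overflight disturbance, then a persistent fault.
OVERFLIGHT = [(True, True)] * 3 + [(False, False)] * 2
PERSISTENT = OVERFLIGHT + [(True, True)] * 6

if __name__ == "__main__":
    for votes in [(False, True, False), (True, True, False)]:
        for state in Standby:
            print(votes, state.value, process_integral_alarms(votes, state))
    print("overflight :", near_field_shutdown_time(OVERFLIGHT))
    print("persistent :", near_field_shutdown_time(PERSISTENT))
```
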

With regards to system power supplies, redundancy is highly
incorporated. The two main battery chargers are connected in
parallel, each possessing the capability of independently supplying
the load current and voltage. Each battery charger has its own
respective battery which it keeps fully charged. Two DC/DC
converters, receiving their input from the common charger
output voltage (+28 volts), produce the remaining system dc voltages.
Each converter voltage is virtually in parallel with the other
respective converter voltage, thus providing a dual redundancy
of all system dc supply voltages.

3.3 Glideslope

The simplified block diagram of the glideslope station is presented
in figure 3-1. As is evident, the configuration of the station is
very similar to that of the localizer. Some of the major
differences are: (1) the glideslope does not possess either a far
field monitor or an identification unit/monitor; (2) the
glideslope has an antenna tower misalignment detector; (3) triplicate
near field monitors are utilized for the glideslope; (4) no
shutdown alert warning signal is provided.

The transmitter section is also slightly different. The course
transmitter delivers a UHF carrier (328.6 - 335.4 MHz)
frequency which is amplified by the 10 watt amplifier. This
amplified carrier is then delivered to the solid state modulator
where, as for the localizer, it is modulated by 90 and 150 Hz
tones. The two signals, C+SB and SBO, are generated by the
modulator. In addition the modulator also provides a low
frequency 150 Hz signal used for modulating the clearance carrier
within the clearance transmitter. The clearance signal is only
C+SB 150 Hz.




The changeover and test unit provides the same function as that
of the localizer - transfer transmitter signals of the main and
standby unit either into the antenna system (including distribution
circuits) or into dummy loads. Also within the changeover and
test unit there exists circuitry for monitoring of the standby
transmitter parameters.


From the changeover and test unit, the three signals (course
C+SB, course SBO, and clearance C+SB 150) are routed to the
distribution circuits where these signals are combined and
distributed to the three 2-lambda glideslope antennas. Correct
phase relationships are established within the distribution circuits.
The three 2-lambda antennas (M-array) are identical and are
mounted on the tower at 3 different heights (H, 2H, 3H). H is
dependent both upon the radiating frequency and the glide path
angle.

Proximity field detectors are employed to provide integral
monitoring ability of the radiated signal parameters. The UHF
combining circuits combine the signals provided by the probes so
that parameter monitoring can be accomplished. The parameters
to be monitored are: path alignment (course position), carrier
power level, percentage modulation, path width (displacement
sensitivity) and the clearance signal. As in the localizer,
triplicate monitoring of all parameters is incorporated.

In addition to integral monitoring, near field monitors are
provided to monitor the path angle (course position). The near field
monitor antenna couples the appropriate signal to three parallel
monitor channels. A two of three vote for monitor channel alarms
is utilized. Since aircraft overflights may cause field
disturbances which will create near field alarms, the alarms are
delayed a nominal 2 seconds at the control unit. "True" near field
alarms lead directly to station shutdown.

As  in  the  case  of  the  localizer,  the  same  standby  parameters  are 
monitored  for  the  standby  transmitting  unit  as  for  the  main 
transmitting  unit.  Again,  only  single  parameter  monitoring  is 
incorporated. 

A glide slope antenna tower deformation monitor is employed to
verify the integrity of the tower. If misalignment or deformation
of the antenna tower persists for a nominal 135 seconds, an
alarm is provided to the control unit which will shut down the
entire glideslope station. The misalignment detector is mounted
at the top of the antenna tower and is nominally set to detect a
five inch deflection at the top of the tower.

The glideslope control unit utilizes the same printed wiring boards
as the localizer. (Actually there is one less board used in the
glideslope). Hence all functional operations and displays of status
are identical. For minor differences (such as a misalignment
detector alarm versus the far field monitor alarms) strap
options are employed.

3.4 Remote Control Unit

The remote control unit, figure 3-3, receives inputs from the
localizer station, the glideslope station, and each of the marker
beacons. It is used for the display of all status information
from these stations. It also provides for remote cycling
capability of transmitting units for each station (cycle sequence:
MAIN-OFF-STANDBY-OFF).


Two ABNORMAL indications are provided for each station -
MONITOR ABNORMAL and POWER/ENVIRONMENTAL ABNORMAL.
The MONITOR ABNORMAL lamp is illuminated whenever:

• The main transmitter is not operational.

• A mismatch exists on one of the monitor channel sets
(i.e., one monitor channel out of three is in alarm).

• A main inhibit is generated (note: a main inhibit inhibits
the main monitor channels).

• An alarm has occurred on the standby monitor channels
(the alarm may be due to either a failure in the standby
transmitter or in one of the standby monitor channels).

• For the localizer, a far field shutdown alarm has
occurred; for the glideslope, a misalignment detector
alarm has occurred.

• The monitors locally bypassed (MLB) mode of operation
is selected. (Note that under this condition the ABNORMAL
lamp will be flashing).

The POWER/ENVIRONMENTAL ABNORMAL is illuminated
whenever:

• One of the DC/DC converter voltages fails.

• The temperature limits are exceeded.

• The primary power to either of the two battery chargers
fails.

• Either of the battery chargers fails.

• The terminal battery voltages drop below a preset level.

• For the localizer, a power/temperature alarm occurs
at the far field monitor.

When either of these abnormals is generated an audible alarm
is sounded. By depressing the SILENCE switch, the audible
alarm is turned off.

An ILS performance category status is also provided for visual
display at the remote control unit. The Category III lamp is
illuminated only if all of the conditions listed below are satisfied.

1. Localizer main transmitter is on the air.

2. Localizer standby transmitter is available.

3. Localizer far field course monitors see the course
position parameter within Category III tolerance limits
(adjustable 20 second time delay available).

4. Localizer monitor channel inhibit is not present.

5. Localizer terminal battery voltage is above a preset
level.

6. Glideslope main transmitter is on the air.

7. Glideslope standby transmitter is available.

8. Glideslope monitor channel inhibit is not present.

9. Glideslope terminal battery voltage is above preset
level.

10. Outer marker beacon is on with no rf level or
identification alarm.

11. Middle marker beacon is on with no rf level or
identification alarm.

12. Inner marker beacon is on with no rf level or
identification alarm.

13. Distance measuring equipment (DME) is within tolerance
(if applicable).

14. The "absence" of localizer POWER/ENVIRONMENTAL
ABNORMAL condition. (A time delay of up to 3 hours
is used for this condition).

15. The absence of glideslope POWER/ENVIRONMENTAL
ABNORMAL condition. (A time delay of up to 3 hours
is used for this condition).

The Category II lamp is illuminated only if all of the conditions
listed below are satisfied.

1. Either the localizer main or standby transmitter is on
the air, provided that no monitor channel inhibit exists.

2. Either the glideslope main or standby transmitter is on
the air, provided that no monitor channel inhibit exists.

3. The Category III indicator lamp is off.

4. Outer marker beacon is on with no rf level or
identification alarm.

5. Middle marker beacon is on with no rf level or
identification alarm.

6. Inner marker beacon is on with no rf level or
identification alarm.

Whenever a change in performance category occurs, a momentary
buzzer is triggered.
4.0 PROCEDURE

The following steps briefly summarize the general approach
taken in this analysis.

1. The functional block diagram of the system is drawn,
exhibiting all relevant signal flow paths between the
various functional assemblies. In addition to the system
block diagram, detailed functional descriptions (such as
Boolean algebraic expressions and simplified assembly
block diagrams) are provided when signal flow
characterization is not readily attained at the system block
diagram level.

2. Each functional entity in the system block diagram is
then analyzed for all possible failure modes which have
a direct effect on the system operational status. It should
be noted that each failure mode listed reflects actual
piecepart failure effects at the functional block output.
The various failure mode effects and system failure
indications are then tabulated.

3. Upon completion of the tabulation of the failure modes and
effects, the failure rate of each failure mode will be
calculated. That failure rate is the total failure rate
of all the piecepart components which, upon failure,
produce that functional failure mode.

4. The final step of the FMECA is the verification that system
design and reliability are such that the probability of a
potentially hazardous failure during the critical landing phase
of a Category III landing is less than 1 x 10^-7. This is
accomplished by developing mathematical models which
entail all conceivable events (or sequence of events) that
lead to one of two probabilities of system failure: (1) the
loss of signal (station shutdown) or (2) the radiation of a
hazardous signal (out of Category III tolerance). The
probability math models for each of these conditions are
determined by utilizing the failure modes and effects
data. The final calculation of the probability of the
Category III SSILS mission failure is then performed.
5.0 ASSUMPTIONS/CONSIDERATIONS

The FMECA was not performed at piecepart level but rather at the
functional level, i.e., the level at which one or more distinct
circuits serve a separate system operational function. In most
cases this functional level neatly coincides with the assembly
level of the system. To perform a piecepart analysis on a system
as extensive as the SSILS was judged neither necessary nor
desirable.

Prior to any failure both the localizer and glideslope are
operating on main transmitting units in Category III performance status
as indicated by the remote control unit CAT III status indicator.

On a per station basis, Category III performance status simply
implies that (1) the main transmitter is on the air, operating
within Category III tolerance limits; (2) the standby transmitter
is available; (3) a power or environmental alarm has not existed
over some preset interval of time (3 hours maximum). For
descriptive purposes within this analysis, transmitting unit number
1 will be considered as main and transmitting unit number 2 as
standby.

When  the  monitoring  system  of  the  SSILS  is  functioning  properly 
(no  monitor  malfunctions  present),  radiation  pattern  degradations 
beyond  the  Category  III  tolerance  limits  are  detected.  Hence,  the 
criteria  for  establishing  a  "true  functional  (or  catastrophic)  failure" 
is  that  it  degrades  the  radiated  signal  beyond  the  alarm  limits  of 
the  monitors. 

Only single piecepart failures (open/short component failures)
are considered in the determination of functional failure modes.
However, multiple functional failure modes will be considered
for the determination of hazardous failure conditions.

The following are excluded from the analysis:

a.  Monitor indicator circuitry not affecting operational
status (such as alarm memory latches, lamp drivers,
bulbs, metering circuitry).

b.  Intercom circuitry - not vital for system operation.

c.  Marker beacons - not vital for Category III operation.

d.  Heater resistors within the cabinets of the distribution
circuits. Since distribution circuitry failures are
considered in the analysis, the cause of failure, temperature
or otherwise, is immaterial to this analysis.

The analysis of the remote control/status display is given in
paragraph 10. With regards to this analysis, it will be assumed
that the operator will check the transmitter status of each station
and determine that the CAT III status indicator lamp is lit prior
to a Category III landing.

The following failure modes are considered not hazardous:

a.  Loss  or  degradation  of  the  identification  signal. 

b.  Loss  or  degradation  of  the  shutdown  alert  signal. 

c.  Generation  of  an  erroneous  shutdown  alert  signal. 

d.  Loss  of  Category  II  near  field  monitoring  ability. 

e.  Generation of erroneous power/temperature alarms.

The  critical  landing  phase  period  for  the  localizer  is  10  seconds; 
for  the  glideslope  5  seconds. 

The probability of failure P(F) is equal to $\lambda t$.

Note: The probability of success is given by the expression

$$P(S) = e^{-\lambda t}$$

Utilizing the exponential expansion,

$$P(S) = e^{-\lambda t} = 1 - \lambda t + \frac{(\lambda t)^2}{2} - \frac{(\lambda t)^3}{6} + \cdots$$

For values of $\lambda t \ll 1$,

$$P(S) = 1 - \lambda t$$

Therefore the probability of failure is:

$$P(F) = 1 - P(S) = 1 - (1 - \lambda t) = \lambda t$$

External runway disturbances such as aircraft overflights and
runway activity have an adverse effect on the radiated localizer
signal at the far field. The parameter of interest at the far field
is the difference in depth of modulation (DDM). This parameter
is affected by such disturbances and, hence, is monitored at the
far field. The loss of this monitoring can lead to potentially
hazardous conditions. An obstruction could exist between the
localizer antenna and the far field monitor which would not be detected
by the integral monitors or the near field monitors. Hence, to
accomplish the primary purpose of the FMECA, the probability
of external runway disturbances during the critical landing phase
of a Category III landing must be known. However, the calculation
of this probability requires a statistical analysis utilizing
empirical data. Since such data is presently unavailable, a
maximum allowable probability of occurrence is established within the
analysis of the FMECA and is listed as an assumption. The
assumed value of this probability is 1 x 10^-3.

The proper alignment of the glideslope antenna tower is vital for
the radiation of correct signals. The alignment is monitored for
permanent deformations due to such natural forces as earth
tremors, strong winds, tower settling, etc. This probability
of permanent misalignment (within the preventive maintenance
cycle of a one week period) must be known for the accomplishment
of the FMECA. Since such a probability is unavailable for this
analysis, a maximum allowable value is again assumed. A
maximum number for this occurrence is 1x10“ .

Coaxial cables, connectors, antennas and probes will not be
treated independently for failure modes and effects, but rather
are considered in the analysis as part of the functional block to
which they are associated since the analysis is performed at the
functional level.

The assignment of a criticality number to each failure mode is the
conventional means of performing a criticality analysis. Such an
approach, however, tends to be partially subjective due to weighing
factors by which the criticality number is established. A more
objective approach is: (1) to provide merely the failure rate as a
representation of the criticality of each failure mode; and (2) to
identify each failure mode as being either hazardous or not
hazardous. These two items, moreover, are necessary inputs
toward accomplishing the primary purpose of the FMECA as
outlined in the procedure. For these reasons this approach will
be utilized for the criticality analysis of the FMECA.

The failure rates used in this analysis were derived using the
following considerations:

a.  Source of base failure rates was RADC Reliability Notebook,
Volume II, dated September 1967. (RADC-TR-67-108)

b.  Equipment ambient temperature was 25°C. Appropriate
temperature rises were used for the part ambients
depending upon their location in the equipment.

c.  Environmental factor was "ground fixed" as defined in
the RADC notebook.

6.0  FUNCTIONAL BLOCK DIAGRAMS

Appendices  A  and  B  contain  detailed  functional  block  diagrams  of 
the  localizer  and  glideslope  respectively.  It  is  at  that  functional 
level  the  FMECA  will  be  performed.  Also  contained  in  the 
appendices  are  all  the  functional  block  diagrams  of  each  major 
assembly.  All  the  various  functional  block  diagrams  may  be 
utilized  to  obtain  a  rather  detailed  understanding  of  system 
operation. 

Two observations should be made concerning the general station
block diagrams. First, all signals which can affect station
operational performance are provided in the diagrams. Hence,
only the outputs from each functional block need to be considered
for analysis. Secondly, each functional block has an identification
number by which the results of the tabulated analysis may be
brought into system perspective. Additional clarification of the
tabulated results of the FMECA can be attained when the functional
block is viewed at the system level.

The  detailed  diagrams  of  the  control  unit  for  each  station  should 
be  particularly  useful  for  a  thorough  understanding  of  control 
unit  operation.  The  Boolean  expressions  provided  completely 
characterize  all  major  logic  signals  and  commands.  Hence,  these 
diagrams  should  be  a  tremendous  aid  in  troubleshooting  control 
unit  failures. 


7.0  FAILURE ANALYSIS

The heart of the FMECA is the failure analysis. This analysis
identifies each failure mode, describes the corresponding
failure effects, and lists the failure rate by which its criticality
is measured. This failure analysis is performed in the form
given in figure 7-1. The following clarification of terms should
be made concerning this form.

1.  Failure Mode: This is the item (functional block) failure
mode. Each failure mode reflects the piecepart failures
within the blocks that can affect the output signals in the
prescribed failure mode. Such terms as "loss of signal"
are normally applied to any failure condition that totally
destroys the characteristics of a "good" signal. Also
any radiated signal that is not degraded beyond the Category
III alarm limits is not considered to constitute a
functional failure.

2.  Failure Effect: Normally listed under this term are the
immediate failure effects upon the system (or station)
from an operational standpoint. Effects on radiated
signals may also be listed here. Occasionally incorporated
within this column are some conditional failure
effect comments - the effects upon the system operation
if another failure were to occur.

3.  System Operation After Failure: The system performance
category immediately after the failure is revealed in
these columns. These indications correspond to the
performance indicator lamps at the Remote Control
Tower. An "OFF" condition exists if the system is
neither in Category II or Category III performance.

4.  Failure Indications: The abnormal indication lights
which should be lighted at the different locations after
the failure occurs are presented in these columns. The
Remote Control column lists the abnormal indications
present at the Remote Control Tower. The Control Unit
column is normally used to give the abnormal indications
that are displayed on the respective station control unit
front panel. The "other" column is normally utilized
for any other display of abnormal indications such as the
monitor channel alarm lights or the remote far field
monitor indications. True monitor channel alarm light
indications are revealed only in the monitors locally
bypassed (MLB) mode of operation; hence, the monitor
alarm light indications presented here are those that will
be displayed in the MLB mode of operation. It should be
realized that the MLB mode is utilized during any
failure troubleshooting.

5.  Failure Rate: This column lists the total failure rate of
the piecepart failures that can produce the respective
functional failure mode. The failure rate given in this
column is worst case since all component failure rates
that can cause the particular failure mode are included
regardless of the piecepart failure modes. In essence
this number is a representation of the criticality of each
failure mode - the larger the failure rate the greater the
criticality of the failure mode. The failure rate number
given in this column is in terms of failures per million
hours. Failure rate identification is accomplished by
alpha-numeric subscripts of $\lambda$. The numeric portion of
the subscript applies to the identification of the functional
block; the alphabetic portion identifies the specific failure
mode. For example, $\lambda_{1B}$ implies the failure rate of the
second (B) failure mode of the control unit (01).

Figure 7-1. Failure Analysis Form

The results of the failure analysis are provided in
appendices C and D for localizer and glideslope respectively.
The failure rates were determined on separate
work sheets which will not be provided within this report.
Table 7-1 provides an example of these work sheets,
showing the failure rate calculations for two failure
modes of the localizer control unit. All failure modes
listed in the analysis are considered to be hazardous
unless specifically identified to be "not hazardous" in the
"remarks" column.


Table 7-1. Failure Mode Failure Rate Calculations

8.0  MATH MODELS

To fulfill the primary objective of this analysis, it must be
verified that the probability of a potentially hazardous failure (a
loss of signal or the radiation of a hazardous signal) during the
critical landing phase be less than 1 x 10^-7. To achieve this
verification, probability math models are utilized.

Figure 8-1 provides an illustration of a typical probability math
model. As can be seen, three distinct paths lead to a failure. If
the event whose probability is given by $P_1$ occurs, a failure will
result. For a failure to result due to path B events, all three
events must occur, the probability of which is given by
$(P_2 \cdot P_3 \cdot P_4)$. Path C is slightly more complicated. Either event 5 or
event 6 must occur, event 7 must occur, and either event 8, 9, or
10 must occur to lead to a failure. Its probability of occurrence
is given by $[(P_5 + P_6) \cdot P_7 \cdot (P_8 + P_9 + P_{10})]$. The overall total
probability of a failure (P(F)) due to all three paths is simply the
algebraic sum.


Rather than provide a graphical representation of the probability
math models on the ILS system, it is decided to present only the
probability equations of the math models. The graphical approach
would be less than meaningful since adequate description of
events could not be provided. The equations, of course, provide all
the same information as the graphical representation. In addition,
each path of failure can be treated independently by a separate
probability equation and full description of probability events can
be provided.

[Figure 8-1 diagram labels: CATEGORY III PERFORMANCE STATUS, PATH B, PATH C, FAILURE; drawing number (A) 105703]

$$P(F) = P_1 + (P_2 \cdot P_3 \cdot P_4) + [(P_5 + P_6) \cdot P_7 \cdot (P_8 + P_9 + P_{10})]$$

Figure 8-1. Example of the Graphical Representation of a
Probability Math Model.

All the math model equations for the localizer and glideslope are
tabulated in appendices E and F respectively. Each contains two
different sections - the "loss of signal" probabilities and the
"hazardous signal radiation" probabilities. The probability
expressions were formulated by considering each and every
hazardous failure mode listed in the failure analysis. Like events
(failure mode failure rates of similar failure effects) were grouped
together whenever possible. For each separate probability
expression listed, all failure modes in the failure analysis can be
identified by failure rate subscripts. For some probability
calculations, preventive maintenance cycles, which are listed in the
"remarks" column, must be assumed. The reason for this is
that a failure which does not cause a monitor alarm (a "hidden"
failure) can only be located by periodic preventive maintenance
procedures. Worst case probabilities are often given whenever
the numerical result proves to be negligible. This is done solely
for simplification purposes.


9.0  PREVENTIVE MAINTENANCE

One of the secondary objectives of this analysis is to provide a
recommendation of how often preventive maintenance checks for
hidden equipment failures should be performed to ensure a high
degree of system integrity. This is a natural output for the
FMECA because preventive maintenance frequencies must be
utilized in the math models.

To determine the frequency of preventive maintenance checks, two
factors (or requirements) must be considered: (1) an allowable
probability of failure occurrence; and (2) an allowable frequency of
preventive maintenance so that total mean preventive maintenance
time (MPMT) does not exceed equipment specification requirements.
The recommended frequency then will be a suitable compromise
between these two requirements. Whenever such a compromise
cannot be attained (either or both requirements cannot
be fulfilled), equipment design changes must be accomplished to
reduce the probability of failure.

In practice, a reasonable frequency is assumed in the math models
and then the total MPMT is calculated to verify that the requirement
is not exceeded. In assuming a preventive maintenance frequency,
the time to perform the hidden failure check must also be considered.
The charts showing the recommended preventive maintenance
task frequencies for the localizer and glideslope are respectively
given in appendices G and H. These charts incorporate
the assumed frequencies utilized in the math model calculations.

In addition to the hazardous failure modes considered in the math
models, non-hazardous hidden failures identified in the failure
analyses are also presented in the tables so that the overall
MPMT can be calculated. A brief description of the preventive
maintenance task is also provided in the charts in order to
estimate the time required to perform the hidden failure check.
Whenever one check can be performed simultaneously with another,
its estimated task time is omitted from the table.

The sole purpose of these charts is to provide a listing of the
recommended frequencies of preventive maintenance checks for
hidden failures and to show that these are consistent with
preventive maintenance requirements. They are not intended to be
used per se by field technicians. Preventive maintenance procedures
that are to be used in the field should be much more
detailed. However, the frequencies provided by these charts should
be an input for writing the actual field procedures.

10.0  REMOTE CONTROL/STATUS DISPLAY

The status display unit is similar to the remote control unit
except that it does not possess transmitter cycle capabilities and
does not have a telephone. Hence, any analysis of the remote
control unit serves equally well for the status display unit.

A simplified functional block diagram of the remote control unit is
given in figure 10-1. As seen in the diagram, only one control
signal for each station is an output from the unit. All other
signals pertain to status only and as such cannot affect the actual
radiated signal. The cycle control line failure mode is treated
within the framework of control unit failure modes for each
station; hence, only an analysis of status signals is necessary.

Figure 10-1. Remote Control Unit

A detailed analysis of this unit is not necessary since the FMECA
pertains only to a Category III performance status analysis. From
an intuitive standpoint, only two relevant failure modes exist for the
unit: (1) circuit failures causing the Category III performance lamp
to be extinguished; and (2) circuit failures causing the Category
III performance lamp to remain "on" continuously, regardless of
station performance. The first of these failure modes is not
hazardous. If an aircraft is just beginning (or already in) the
critical landing phase, a safe Category III landing may be
accomplished since the radiated signal is unaffected. Although station
failures could conceivably occur within that same 10 second
critical landing phase period, the probability is totally negligible.
The maximum probability of this event is given by the expression:

$$P_{MAX} = (\text{Requirement}) \cdot (\lambda_{RC1} \cdot 10\ \text{sec})$$

where Requirement = 1 x 10^-7 (specified)

and $\lambda_{RC1}$ is the failure rate of the remote control unit
circuitry that can cause the lamp to be extinguished.

To simplify matters, let $\lambda_{RC1}$ = 100 x 10^-6 failures per hour
as worst case. Then,

$$P_{MAX} = (1 \times 10^{-7})(100 \times 10^{-6})(10/3600) = 2.777 \times 10^{-14}$$

The second failure mode, circuit failures causing the Category
III performance lamp to remain lit, is potentially hazardous since
the "true" status of the radiated signal is not recognizable.
However, if it is assumed that the operator checks the transmitter
status of each station prior to a Category III landing, the severity
of the hazardous condition is greatly reduced. In fact, the only
potentially hazardous condition that then can exist is that the
localizer signal be out of Category III tolerance at the far field.

All other potentially hazardous conditions are recognizable
through other status indications on the remote control unit. The
reason for this is that the far field Category III disable signal
affects only category performance status. It is not processed
by the localizer station and, hence, there is no redundant status
display associated with it. The out-of-Category III-tolerance
condition at the far field is due solely to external runway and
overflight disturbances.

Since an initial evaluation of this potentially hazardous failure
mode revealed its probability was too high, design changes were
incorporated to provide redundancy and, thus, lower considerably
the probability of this potentially hazardous occurrence. The new
probability expression is given by:

where $\lambda_{RC2}$ = the failure rate of the remote control far field
alarm processing circuitry which can cause
the Category III performance lamp to remain
illuminated, without redundancy.

$\lambda_{REDUND\ RC}$ = the failure rate of the redundancy circuitry
that can cause the Category III performance lamp
to remain illuminated.

$P_{CSE\ FF}$ = 10^-3 (assumed value) = the probability that the
localizer ILS signal will be out of Category III
DDM tolerance at the far field due to external
runway disturbances during the critical landing
phase of a Category III landing.

The calculated failure rate figures are given below:

$\lambda_{RC2}$ = 1.141 x 10^-6 failures per hour

$\lambda_{REDUND\ RC}$ = 0.268 x 10^-6 failures per hour

Hence, the new probability is:

$$P_{RC2} = (1.141 \times 10^{-6} \cdot 168)(10^{-3})(0.268 \times 10^{-6} \cdot 168) = 8.636 \times 10^{-12}$$

With the redundancy in the design incorporated, the probability
of this potentially hazardous failure mode becomes negligible.
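The two remote control unit calculations above, together with the path structure of the section 8 math models, worked as an added Python example that is not part of the original report. The class and function names are hypothetical; the failure rates, the 10-second and 168-hour exposure times, and the 10^-3 and 10^-7 values are the ones the report uses.

```python
"""Path-structured probability math model using P(F) = lambda * t.

Added illustration; all names here are hypothetical, not from the report.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

REQUIREMENT = 1e-7                      # specified mission-failure limit
LOCALIZER_CRITICAL_PHASE_H = 10 / 3600  # 10-second critical landing phase, in hours
HIDDEN_FAILURE_EXPOSURE_H = 168.0       # exposure time used in the report's calculation


@dataclass(frozen=True)
class Event:
    """One event of a math model: a rate over an exposure time, or a fixed value."""
    name: str
    rate_per_hour: float = 0.0                 # failure rate (lambda)
    exposure_hours: float = 0.0                # time t during which the failure counts
    fixed_probability: Optional[float] = None  # assumed or specified probability

    def probability(self, exact: bool = False) -> float:
        if self.fixed_probability is not None:
            return self.fixed_probability
        lt = self.rate_per_hour * self.exposure_hours
        # exact: 1 - exp(-lt); approximation (report's assumption): lt
        return -math.expm1(-lt) if exact else lt


Group = List[Event]   # alternatives: any one event of the group suffices
Path = List[Group]    # every group on the path must occur


def _any_of(probabilities: List[float], exact: bool) -> float:
    """Probability that at least one of several independent events occurs."""
    if exact:
        return -math.expm1(sum(math.log1p(-p) for p in probabilities))
    return sum(probabilities)  # the report's "algebraic sum" for small values


def path_probability(path: Path, exact: bool = False) -> float:
    return math.prod(_any_of([e.probability(exact) for e in g], exact) for g in path)


def model_probability(paths: List[Path], exact: bool = False) -> float:
    return _any_of([path_probability(p, exact) for p in paths], exact)


def figure_8_1(p: Dict[int, float]) -> List[Path]:
    """The three-path example of Figure 8-1 for given P1..P10."""
    ev = {i: Event(f"event {i}", fixed_probability=p[i]) for i in range(1, 11)}
    return [
        [[ev[1]]],
        [[ev[2]], [ev[3]], [ev[4]]],
        [[ev[5], ev[6]], [ev[7]], [ev[8], ev[9], ev[10]]],
    ]


def lamp_extinguished_case() -> float:
    """Lamp goes out while a station failure occurs in the same 10 seconds."""
    return path_probability([
        [Event("station failure, bounded by the requirement", fixed_probability=REQUIREMENT)],
        [Event("lamp circuitry failure", 100e-6, LOCALIZER_CRITICAL_PHASE_H)],
    ])


def lamp_stuck_on_case(exact: bool = False) -> float:
    """Lamp stays lit: both hidden failures present and far field out of tolerance."""
    return path_probability([
        [Event("far field alarm processing", 1.141e-6, HIDDEN_FAILURE_EXPOSURE_H)],
        [Event("far field DDM out of tolerance", fixed_probability=1e-3)],
        [Event("redundancy circuitry", 0.268e-6, HIDDEN_FAILURE_EXPOSURE_H)],
    ], exact)


def approximation_error(rate_per_hour: float, hours: float) -> float:
    """Relative overestimate made by using lambda*t instead of 1 - exp(-lambda*t)."""
    lt = rate_per_hour * hours
    exact = -math.expm1(-lt)
    return (lt - exact) / exact


if __name__ == "__main__":
    print(f"lamp extinguished: {lamp_extinguished_case():.3e}")
    print(f"lamp stuck on:     {lamp_stuck_on_case():.3e}")
    print(f"lambda*t error at 100e-6/h over 168 h: {approximation_error(100e-6, 168.0):.2%}")
```

The approximation error grows with the exposure time, so it matters for hidden failures that wait for a maintenance check and is negligible over the seconds-long critical landing phase.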



11.0  RESULTS/CONCLUSIONS

Overall failure probabilities are readily calculated from the math
model tables by simple addition. Tables 11-1 and 11-2 enumerate
the failure probabilities for the localizer and glideslope respectively.
Table 11-3 provides a resultant failure probability summary. As
can be seen, the overall probability of mission failure is 0.89345 x
10^-7 which is less than 1 x 10^-7, the specified requirement. Hence,
the primary purpose of this analysis has been accomplished.


Table 11-1. Total Localizer Hazardous Signal Probability

A. Localizer Shutdown Probabilities

 1.  P_S:          3.912 x 10^-8   =  39.120 x 10^-9
 2.  P_AB:         3.516 x 10^-14  =   0.000 x 10^-9
 3.  P_AC:         1.227 x 10^-11  =   0.012 x 10^-9
 4.  P_AD:         9.226 x 10^-13  =   0.001 x 10^-9
 5.  P_STBY CSE:   1.722 x 10^-14  =   0.000 x 10^-9
 6.  P_STBY SEN:   2.982 x 10^-15  =   0.000 x 10^-9
 7.  P_STBY CL:    1.802 x 10^-14  =   0.000 x 10^-9
 8.  P_STBY ID:    1.665 x 10^-16  =   0.000 x 10^-9
 9.  P_STBY:       9.837 x 10^-15  =   0.000 x 10^-9
10.  P_PS/CONV:    9.906 x 10^-11  =   0.099 x 10^-9
11.  P_CSE/ID:     5.106 x 10^-10  =   0.511 x 10^-9
12.  P_SEN:        2.090 x 10^-10  =   0.209 x 10^-9
13.  P_CL:         4.540 x 10^-10  =   0.454 x 10^-9
14.  P_NF:         1.422 x 10^-10  =   0.142 x 10^-9
15.  P_FF:         6.081 x 10^-10  =   0.608 x 10^-9
16.  P_INHIB:      6.822 x 10^-9   =   6.822 x 10^-9

     P_SD = ΣA                     =  47.978 x 10^-9


Table 11-1. Total Localizer Hazardous Signal
Probability (continued)

B. Localizer Hazardous Signal Radiation Probabilities

 1.  P(HS)_CSE DDM:              1.287 x 10^-15  =  0.000 x 10^-9
 2.  (label not legible):        5.555 x 10^-10  =  0.556 x 10^-9
 3.  P(HS)_CSE DDM:              4.971 x 10^-10  =  0.497 x 10^-9
 4.  P(HS)_CSE RF:               1.502 x 10^-9   =  1.502 x 10^-9
 5.  P(HS)_SEN:                  1.354 x 10^-10  =  0.135 x 10^-9
 6.  P(HS)_CL DDM:               3.584 x 10^-9   =  3.584 x 10^-9

     P_HS = ΣB                                   =  6.274 x 10^-9

P_TOTAL LOCALIZER = P_SD + P_HS

                  = 54.252 x 10^-9
                  = 0.54252 x 10^-7


Table 11-2. Total Glideslope Hazardous Signal Probability

A. Glideslope Shutdown Probabilities

 1.  P_S:          2.197 x 10^-8   =  21.970 x 10^-9
 2.  P_AB:         2.691 x 10^-15  =   0.000 x 10^-9
 3.  P_AC:         5.884 x 10^-12  =   0.006 x 10^-9
 4.  P_AD:         1.503 x 10^-15  =   0.000 x 10^-9
 5.  P_STBY CSE:   9.045 x 10^-15  =   0.000 x 10^-9
 6.  P_STBY SEN:   1.648 x 10^-15  =   0.000 x 10^-9
 7.  P_STBY CL:    2.282 x 10^-15  =   0.000 x 10^-9
 8.  P_STBY:       2.314 x 10^-15  =   0.000 x 10^-9
 9.  P_CONV:       1.814 x 10^-13  =   0.000 x 10^-9
10.  P_CSE:        1.815 x 10^-10  =   0.182 x 10^-9
11.  P_SEN:        1.035 x 10^-10  =   0.104 x 10^-9
12.  P_CL:         1.908 x 10^-10  =   0.191 x 10^-9
13.  P_NF:         1.403 x 10^-10  =   0.140 x 10^-9
14.  P_INHIB:      3.411 x 10^-9   =   3.411 x 10^-9

     P_SD = ΣA                     =  26.044 x 10^-9

Table 11-2. Total Glideslope Hazardous Signal
Probability (continued)

B. Glideslope Hazardous Signal Radiation Probabilities

 1.  P(HS)_CSE DDM:   8.989 x 10^-16  =  0.000 x 10^-9
 2.  P(HS)_CSE SDM:   4.558 x 10^-10  =  0.456 x 10^-9
 3.  P(HS)_CSE RF:    1.248 x 10^-9   =  1.248 x 10^-9
 4.  P(HS)_SEN:       1.518 x 10^-10  =  0.152 x 10^-9
 5.  P(HS)_CL:        1.427 x 10^-9   =  1.427 x 10^-9
 6.  P(HS)_ATM:       5.806 x 10^-9   =  5.806 x 10^-9

     P_HS = ΣB                        =  9.089 x 10^-9

P_TOTAL GLIDESLOPE = P_SD + P_HS

                   = 35.110 x 10^-9
                   = 0.35110 x 10^-7

Table 11-3. Probability Summary

A. Localizer:

   (1) Shutdown (Loss of Radiated Signal):  47.978 x 10^-9
   (2) Radiation of Hazardous Signal:        6.274 x 10^-9

B. Glideslope:

   (1) Shutdown (Loss of Radiated Signal):  26.004 x 10^-9
   (2) Radiation of Hazardous Signal:        9.089 x 10^-9

C. Total:                                   89.345 x 10^-9
                                         or 0.89345 x 10^-7

To achieve this primary objective, however, circuit design
changes/modifications as dictated by the FMECA had to be
accomplished. The following is a listing of these changes/modifications.

1.  The SDM strap option will be employed for the localizer
near field and far field monitor channels. The SDM
alarm limits, however, will not be to Category III
limits, but rather to some less stringent value which
will provide an alarm output when a total loss of input
signal exists. The SDM and DDM alarms will be "or'd"
internal to the monitor channel, thus providing one
general alarm output for alarm processing in the control
unit. The SDM strap option will also be utilized for the
glideslope near field monitor channels.

2.  If a continuous main monitor inhibit is generated in the
control unit, a downgrading of category status indication
(neither category III or II) will occur at the remote
control unit. In this way total loss of all monitoring
due to inhibit circuitry failures will be remotely
recognizable.

3.  Additional redundancy in the far field monitor combining
logic has been employed to reduce the probability of the
loss of the far field Category III monitoring capability.

4.  Redundancy circuitry has been incorporated in the control
unit to provide direct remote status indication (performance
category downgrade) whenever a "transfer condition"
exists. This redundancy significantly reduces the
probability of radiating a hazardous signal due to
control unit processing circuit failures.

5.  Redundancy has been employed in the remote control/
status displays units to extinguish the Category III
performance light whenever a far field Category III
disable signal occurs.

6.  An antenna misalignment detector test feature has been
incorporated into the design to allow for a "quick and
easy" check of its integrity. This was required to comply
with preventive maintenance requirements.

To confirm that the preventive maintenance frequencies assumed
within this analysis are consistent with the requirements, a
quick comparison of the assignments made in appendices G and H
with the equipment specification is in order. The equipment
specification states that a mean preventive maintenance time
(MPMT) of one hour in 336 hours of equipment operation for
any station is allowable. The total MPMT estimated for localizer
hidden failures is 21.9 minutes in 336 hours of equipment
operation; the total MPMT for the glideslope hidden failures is 14.0
minutes in 336 hours of equipment operation.

As another outgrowth of the FMECA the following general
discussion on redundancy has evolved:

•  In the general design of electronic equipment, standard
design procedures such as use of high reliability parts
and minimization of circuit components do not necessarily
ensure that system design is optimum from a performance
standpoint. To obtain a high degree of system performance,
redundancy of equipment hardware has often
been employed in design. This is a very effective means
when utilized correctly. Unfortunately, the full advantages
of redundancy are often overlooked.

•  To exhibit the optimum use of redundancy in equipment
design, the examples of figures 11-1 and 11-2 are
provided. Assume that each of the monitor channels
monitors the same system parameter. Triplicate redundancy
has been incorporated in the monitoring circuitry,
requiring a 2 of 3 vote for monitor alarm processing
in the control logic. Figure 11-1 illustrates
the typical approach (minimum circuit complexity)
utilized in circuit design (redundant control logic
excluded). However, when calculating the probability of
loss of the parameter monitoring ability ($P(F)_{NR}$), an
interesting observation results. The desirable features
of triplicate monitoring are partially lost due to the
control logic and "OR" gate ($P_{CL}$ and $P_{OR}$ respectively).
It is these circuit components that limit the reduction of
the probability of failure. Hence, all the additional
circuitry incorporated for triplicate monitoring is
rendered partially useless in minimizing the probability
of failure.


[Figure 11-1 diagram. Labels: monitor channels; 2 of 3 vote
(1·2 + 2·3 + 1·3); "OR" gate; control logic; redundant control
logic. Note: partial redundancy.]

$$P(F)_{NR} = P_M^2 + P_G^3 + P_{OR} + P_{CL} \approx 10^{-8} + 10^{-18} + 10^{-6} + 10^{-5} \approx 1.1 \times 10^{-5}$$ (no redundant logic)

$$P(F)_{R} = P_M^2 + P_G^3 + P_{OR} + P_{CL} \cdot P_{RL} \approx 10^{-8} + 10^{-18} + 10^{-6} + 10^{-5} \cdot 10^{-5} \approx 10^{-6}$$ (with redundant logic)

Typical values: $P_M = 10^{-4}$, $P_G = 10^{-6}$, $P_{OR} = 10^{-6}$,
$P_{CL} = 10^{-5}$, $P_{RL} = 10^{-5}$.

Figure 11-1. Logic Illustrating 2 of 3 Vote of Monitors for Control
Processing (dashed lines illustrate partial redundancy).

•  An improvement of the original design results with the
additional redundant control logic (dashed lines). The
new probability ($P(F)_{R}$) calculation shows that there is
roughly an improvement by one order of magnitude,
utilizing typical values. However, as the new calculation
illustrates, the true advantageous features of
triplicate monitoring are still not attained. A
"bottleneck" limiting factor is still present - the "OR"
gate ($P_{OR}$).


[Figure 11-2 diagram. Labels: monitor channels.]

$\approx 10^{-8}$ (with optimum redundancy)

Figure 11-2. Logic Illustrating 2 of 3 Vote of Monitors for
Control Processing with Optimum Redundancy

•  Figure 11-2 is an illustration of the optimum design,
utilizing redundancy. With the additional "OR" gate
included, the full advantages of redundancy are attained
since the limiting factor is now the monitor channels.
One final observation should be pointed out concerning
this matter - the addition of a single redundant gate has
decreased the probability of failure two orders of
magnitude, utilizing typical values. In summary then, it is
vitally important to incorporate redundancy correctly
if redundancy is to be incorporated at all.
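The redundancy argument above can be checked numerically. The Python sketch below is an added example, not part of the original report: it models the three layouts (figure 11-1 without and with redundant control logic, and figure 11-2) as a small fault tree using the typical values quoted with figure 11-1, and reports which stage is the bottleneck. Assumptions: component failures are independent, a duplicated stage is lost only when both copies fail, the redundant "OR" gate has the same failure probability as the first, and the monitor term counts all three channel pairs, so it is about 3·P_M² where the figure writes P_M².

```python
"""Fault-tree check of the 2-of-3 monitor layouts in figures 11-1 and 11-2."""
from dataclasses import dataclass

# Typical per-component failure probabilities quoted with figure 11-1.
P_M, P_G, P_OR, P_CL, P_RL = 1e-4, 1e-6, 1e-6, 1e-5, 1e-5


@dataclass(frozen=True)
class Basic:
    """A single component with a fixed failure probability."""
    name: str
    p: float


@dataclass(frozen=True)
class Stage:
    """A group of independent parts that is lost when at least k of them fail."""
    name: str
    k: int
    parts: tuple


def failure_probability(node):
    """Exact P(node fails), assuming all basic components fail independently."""
    if isinstance(node, Basic):
        return node.p
    dist = [1.0]  # dist[j] = P(exactly j of the parts seen so far have failed)
    for part in node.parts:
        p = failure_probability(part)
        nxt = [0.0] * (len(dist) + 1)
        for j, d in enumerate(dist):
            nxt[j] += d * (1.0 - p)
            nxt[j + 1] += d * p
        dist = nxt
    return sum(dist[node.k:])


def layout(redundant_logic, redundant_or):
    """Build the loss-of-monitoring tree for one of the three designs."""
    monitors = Stage("monitor channels", 2,
                     tuple(Basic(f"M{i}", P_M) for i in (1, 2, 3)))
    # Assumption: the figure's P_G^3 term is modelled as all three vote gates failing.
    vote = Stage("vote gates", 3, tuple(Basic(f"G{i}", P_G) for i in (1, 2, 3)))
    # Assumption: the added "OR" gate of figure 11-2 also fails with probability P_OR.
    ors = [Basic("OR", P_OR)] + ([Basic("OR (redundant)", P_OR)] if redundant_or else [])
    logic = [Basic("CL", P_CL)] + ([Basic("RL", P_RL)] if redundant_logic else [])
    or_stage = Stage('"OR" gate', len(ors), tuple(ors))
    logic_stage = Stage("control logic", len(logic), tuple(logic))
    # Any one stage being lost means the parameter is no longer monitored.
    return Stage("loss of monitoring", 1, (monitors, vote, or_stage, logic_stage))


def bottleneck(top):
    """Return (stage name, probability) of the largest contributor."""
    return max(((s.name, failure_probability(s)) for s in top.parts),
               key=lambda item: item[1])


DESIGNS = {
    "figure 11-1, no redundant logic": layout(False, False),
    "figure 11-1, redundant logic": layout(True, False),
    "figure 11-2, optimum redundancy": layout(True, True),
}

if __name__ == "__main__":
    for label, top in DESIGNS.items():
        name, p = bottleneck(top)
        print(f"{label}: P(F) = {failure_probability(top):.3e}, "
              f"bottleneck = {name} ({p:.1e})")
```

The bottleneck moves from the control logic, to the "OR" gate, to the monitor channels as each single point of failure is duplicated, which is the progression the two figures describe.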
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The  following  enumerates  the  general  conclusions  resulting  from 
the FMECA:

1.  If the assumptions made within this analysis prove to be
reasonably valid, the probability of either (1) a loss of
signal or (2) the radiation of a potentially hazardous
signal during the critical landing phase of a Category
III landing is less than $1 \times 10^{-7}$ for the Texas
Instruments Incorporated Category III ILS system. The
validity of the result of the overall hazardous failure
probability is enhanced since worst case analyses were
often employed.

2.  Single equipment failures which can lead directly to
station shutdown are the major contributors which limit
the reduction of the probability of a hazardous failure.
Hence, to achieve further improvement of equipment
design and reliability, additional redundancy in major
non-redundant circuits such as the control unit is
required.

3.  Due particularly to the redundancy that has been
incorporated into the design as a result of the FMECA, the
probability of the radiation of a potentially hazardous
signal has become insignificant compared to shutdown
probabilities. The design modifications have made the
triplicate monitoring utilized in the Category III system
optimum since the "bottleneck" factor is the monitor
channels themselves.

4.  Since all hidden failure modes are identified in the
FMECA, the results of the analysis serve as an
excellent input for the writing of preventive maintenance
procedures. The frequencies of these preventive
maintenance checks stratified within this report are based
upon allowable probabilities of occurrence and, hence,
should be followed very closely in field performance.

5.  Troubleshooting system failures should be greatly
facilitated by utilizing both the functional block diagrams
and the failure mode and effects analysis data.


12.0  REFERENCES 

The references used in development of this analysis are listed
below:

"Aerospace Recommended Practice 926", Society of Automotive
Engineers, Inc., New York, New York, September 15, 1967.

"Annex 10 - Aeronautical Telecommunications, Volume I",
International Civil Aviation Organization, 2nd Edition,
April 1968.

"RADC Reliability Notebook, Volume II", Technical Report
No. RADC-TR-67-108, September 1967.

"Reliability Engineering", ARINC Research Corporation,
Prentice Hall, 1964.

"Reliability Requirements for Safe All Weather Landings";
Adkins, L. A.; Thatro, M. C.; Proceedings of the 7th
Reliability and Maintainability Conference, San Francisco,
California, July 14-17, 1968.


Appendix  A 

Localizer  Detailed  Functional  Block  Diagrams 


This appendix consists of detailed functional block diagrams for
the localizer. Figures A-4 through A-19 cover the numbered
blocks in figures A-1 and A-2 (localizer and localizer far field
monitor). Figure A-3 and the accompanying table A-1 detail
the localizer control unit.


Table A-1.  Definition of Signal Names (Localizer Control
Unit, Figure A-3)


Name  Definition

ABAT:  Alarm due to a drop in the main battery voltage.
ACONV:  Alarm on one of the DC/DC converter voltages.
AFFS:  Far field shutdown alarm.
APE RC:  Power/environmental alarm sent to remote control.
AS:  Alarm due to standby monitors.
AS(D):  Alarm due to standby monitors, delayed.
ASM:  Alarm due to standby monitors, memorized.
AB:  Abnormal condition signal.
ABMON:  Abnormal condition signal due to monitor channel alarm.
ABMON RC:  Monitor alarm sent to remote control.
AC:  AC power alarm from one of the two battery chargers.
BC:  Battery charger alarm from one of the two chargers.
BLINK:  Blinker output signal, a square wave oscillator.
C:  Cycling command signal for transmitters.
CANT1:  Command to have transmitter no. 1 connected to the antenna.
CANT2:  Command to have transmitter no. 2 connected to the antenna.
C1:  Command to turn on transmitter no. 1.
C2:  Command to turn on transmitter no. 2.
CAT II RC:  Signal to remote control used to determine Category II status.
CAT III RC:  Signal to remote control used to determine Category III status.

CONTROL:  Cycle command (MAIN, STBY, or OFF).
CL11:  Category III DDM clearance alarm, monitor no. 1.
CL12:  Category III DDM clearance alarm, monitor no. 2.
CL13:  Category III DDM clearance alarm, monitor no. 3.
CL21:  Category III SDM clearance alarm, monitor no. 1.
CL22:  Category III SDM clearance alarm, monitor no. 2.
CL23:  Category III SDM clearance alarm, monitor no. 3.
CL31:  Category III RF clearance alarm, monitor no. 1.
CL32:  Category III RF clearance alarm, monitor no. 2.
CL33:  Category III RF clearance alarm, monitor no. 3.
CSE11:  Category III DDM course alarm, monitor no. 1.
CSE12:  Category III DDM course alarm, monitor no. 2.
CSE13:  Category III DDM course alarm, monitor no. 3.
CSE21:  Category III SDM course alarm, monitor no. 1.
CSE22:  Category III SDM course alarm, monitor no. 2.
CSE23:  Category III SDM course alarm, monitor no. 3.
CSE31:  Category III RF course alarm, monitor no. 1.
CSE32:  Category III RF course alarm, monitor no. 2.
CSE33:  Category III RF course alarm, monitor no. 3.
CSE II1:  Category II DDM course alarm, monitor no. 1.
CSE II2:  Category II DDM course alarm, monitor no. 2.
CSE II3:  Category II DDM course alarm, monitor no. 3.


LFF GO:  Far field "good condition" status lamp signal.
LFF MM:  Far field monitor mismatch status lamp signal.
LFF PE:  Far field power/environmental status lamp signal.
LFFS:  Far field shutdown status lamp signal.
LN:  Normal status lamp signal.
LTEMP:  Temperature alarm status lamp signal.
LMLB:  Monitors locally bypassed status lamp signal.
LMM:  Monitor mismatch status lamp signal.
LS:  Shutdown status lamp signal.
LX1:  Transmitter no. 1 connected to antenna status lamp signal.
LX2:  Transmitter no. 2 connected to antenna status lamp signal.
LOC:  Local control of transmitting unit.
LT:  Transfer signal memorized.
MACL:  Clearance monitor alarm.
MACSE II:  Course monitor alarm, Category II alarm limits.
MACSE III:  Course monitor alarm, Category III alarm limits.
MAID:  Monitor alarm, 2 of 3 ID monitors.
MANF(D):  Near field monitor alarm which is delayed.
MAS:  Shutdown command from monitor alarms.


MASEN:  Sensitivity monitor alarm.
MAT:  Transfer command from monitor alarms.
MAIN:  Main transmitter "on" status signal.
MAINRC:  Signal to remote control used to determine MAIN status.
MLB:  Monitors locally bypassed.
MMCL:  Clearance monitor mismatch.
MMCL/NF:  Clearance or near field monitor mismatch.
MMCSE III:  Course monitor mismatch, Category III alarm limits.
MMFF:  Far field monitor mismatch.
MMID:  Monitor mismatch, 1 of 3 ID monitors.
MMNF(D):  Near field monitor mismatch which is delayed.
MMSEN:  Sensitivity monitor mismatch, Category III alarm limits.
NF 1:  Category II DDM near field alarm, monitor no. 1.
NF 2:  Category II DDM near field alarm, monitor no. 2.
OFF:  Both transmitters "off" status signal.
OFFRC:  Signal to remote control used to determine OFF status.
ON/OFF:  Front panel control unit power supply control.
REM:  Remote control of transmitting unit.
RESET:  Signal to reset alarm memory latches.
SCL:  Standby clearance monitor alarm - DDM, SDM or RF with Category III limits.
SCSE:  Standby course monitor alarm - DDM, SDM, or RF with Category III limits.


Transmitter no. 1 is selected as main.
Transmitter no. 2 is selected as main.
Selection of transmitter no. 1 memorized.
Selection of transmitter no. 2 memorized.
Shutdown alert signal due to near field monitors.
Category III DDM sensitivity alarm, monitor no. 1.
Category III DDM sensitivity alarm, monitor no. 2.
Category III DDM sensitivity alarm, monitor no. 3.
Standby transmitter "on" status signal.
Signal to remote control used to determine STANDBY status.
Temperature alarm inside main cabinet.
Transfer command due to XFR1 or XFR2 (redundant for remote recognition).
Transfer command due to course and sensitivity (redundant).
Transfer command due to clearance and near field (redundant).
Sum of shutdown alert and ID tone no. 1.


XMTR No. 2 (shutdown warning/ID no. 2):  Sum of shutdown alert and ID tone no. 2.
+12V CONTROL:  Control signal to turn on monitor channels.
-18V:  A common -18V from the two DC/DC converters.
-18_1:  -18 volts from converter no. 1.
-18_2:  -18 volts from converter no. 2.
+28V BATT:  The voltage of the main batteries.
+5_1:  +5 volts from converter no. 1.
+5_2:  +5 volts from converter no. 2.
-50_1:  -50 volts from converter no. 1.
-50_2:  -50 volts from converter no. 2.


Figure A-1.  Localizer Station
Figure A-3.  Localizer Control Unit
Figure A-7.  Identification Unit
Figure A-8.  VHF Changeover and Test Assembly
Figure A-11.  Battery Charger
Figure A-13.  VHF Peak Detectors
Figure A-17.  Far Field Monitor Battery Charger
Figure A-18.  Far Field Monitor DC/DC Converter


Appendix B

Glideslope Detailed Functional Block Diagrams


This appendix consists of detailed functional block diagrams for
the glideslope. Figures B-3 through B-13 cover the numbered
blocks for figure B-1. Figure B-2 and the accompanying table
B-1 detail the glideslope control unit.


Table B-1.  Definition of Signal Names (Glideslope Control
Unit, Figure B-2)


Name  Definition

ABAT:  Alarm due to a drop in the main battery voltage.
ACONV:  Alarm on one of the DC/DC converter voltages.
AMD:  Misalignment detector alarm with inhibit.
APE RC:  Power/environmental alarm sent to remote control.
AS:  Alarm due to standby monitors.
AS(D):  Alarm due to standby monitors, delayed.
ASM:  Alarm due to standby monitors, memorized.
AB:  Abnormal condition signal.
ABMON:  Abnormal condition signal due to monitor channel alarm.
ABMON RC:  Monitor alarm sent to remote control.
AC:  AC power alarm from one of the two battery chargers.
BC:  Battery charger alarm from one of the two chargers.
BLINK:  Blinker output signal, a square wave oscillator.
C:  Cycling command signal for transmitters.
CANT1:  Command to have transmitter no. 1 connected to the antenna.
CANT2:  Command to have transmitter no. 2 connected to the antenna.
C1:  Command to turn on transmitter no. 1.
C2:  Command to turn on transmitter no. 2.
CAT II RC:  Signal to remote control used to determine Category II status.
CAT III RC:  Signal to remote control used to determine Category III status.


CONTROL:  Cycle command (MAIN, STBY, or OFF).
CL11:  Category III DDM clearance alarm, monitor no. 1.
CL12:  Category III DDM clearance alarm, monitor no. 2.
CL13:  Category III DDM clearance alarm, monitor no. 3.
CL21:  Category III SDM clearance alarm, monitor no. 1.
CL22:  Category III SDM clearance alarm, monitor no. 2.
CL23:  Category III SDM clearance alarm, monitor no. 3.
CL31:  Category III RF clearance alarm, monitor no. 1.
CL32:  Category III RF clearance alarm, monitor no. 2.
CL33:  Category III RF clearance alarm, monitor no. 3.
CSE11:  Category III DDM course alarm, monitor no. 1.
CSE12:  Category III DDM course alarm, monitor no. 2.
CSE13:  Category III DDM course alarm, monitor no. 3.
CSE21:  Category III SDM course alarm, monitor no. 1.
CSE22:  Category III SDM course alarm, monitor no. 2.
CSE23:  Category III SDM course alarm, monitor no. 3.
CSE31:  Category III RF course alarm, monitor no. 1.
CSE32:  Category III RF course alarm, monitor no. 2.
CSE33:  Category III RF course alarm, monitor no. 3.
CSE 111:  Category III DDM course alarm, monitor no. 1.
CSE 112:  Category III DDM course alarm, monitor no. 2.
CSE 113:  Category III DDM course alarm, monitor no. 3.


IC:  Inhibit signal to inhibit transmitter cycling capability.
IMAIN:  Main inhibit to main monitor channels.
ION:  Inhibit signal due to power turn-on.
V:  Inhibit signal due to transfer commands either auto or manual.
V:  Inhibit signal due to shutdown commands, either auto or manual.
ISTBY:  Standby inhibit to standby monitor channels.
LAB:  Abnormal status lamp signal.
LAC:  AC power alarm status lamp signal.
LBAT:  Battery alarm status lamp signal.
LBC:  Battery charger alarm status lamp signal.
LC:  DC/DC converter alarm status lamp signal.
LMD A:  Misalignment detector alarm lamp.
LMD BY:  Misalignment detector bypass lamp.
LMLB:  Misalignment detector bypass lamp.
LMM:  Monitor mismatch status lamp signal.
LN:  Normal status lamp signal.
LS:  Shutdown status lamp signal.
LTEMP:  Temperature alarm status lamp signal.
LX1:  Transmitter no. 1 connected to antenna status lamp signal.
LX2:  Transmitter no. 2 connected to antenna status lamp signal.


LOC:  Local control of transmitting unit.
LT:  Transfer signal memorized.
MACL:  Clearance monitor alarm.
MACSE II:  Course monitor alarm, Category II alarm limits.
MACSE III:  Course monitor alarm, Category III alarm limits.
MANF(D):  Near field monitor alarm which is delayed.
MAS:  Shutdown command from monitor alarms.
MASEN:  Sensitivity monitor alarm.
MAT:  Transfer command from monitor alarms.
MAIN:  Main transmitter "on" status signal.
MAINRC:  Signal to remote control used to determine MAIN status.
MD A:  Misalignment detector alarm without inhibit.
MDBYL:  Misalignment detector bypassed locally.
MLB:  Monitors locally bypassed.
MMCL:  Clearance monitor mismatch.
MMCL/NF:  Clearance or near field monitor mismatch.
MMCSE III:  Course monitor mismatch, Category III alarm limits.
MMNF(D):  Near field monitor mismatch which is delayed.
MMSEN:  Sensitivity monitor mismatch, Category III alarm limits.
NF 1:  Category III DDM near field alarm, monitor no. 1.
NF 2:  Category III DDM near field alarm, monitor no. 2.

NF 3:  Category III DDM near field alarm, monitor no. 3.
OFF:  Both transmitters "off" status signal.
OFFRC:  Signal to remote control used to determine OFF status.
ON/OFF:  Front panel control unit power supply control.
REM:  Remote control of transmitting unit.
RESET:  Signal to reset alarm memory latches.
SCL:  Standby clearance monitor alarm - DDM, SDM, or RF with Category III limits.
SCSE:  Standby course monitor alarm - DDM, SDM, or RF with Category III limits.
SM:  Shutdown signal memorized.
SSEN:  Standby sensitivity monitor alarm - DDM with Category III limits.
S0:  Both transmitters are selected to be off.
S1:  Transmitter no. 1 is selected as main.
S2:  Transmitter no. 2 is selected as main.
12:  Selection of transmitter no. 1 memorized.
S12:  Selection of transmitter no. 2 memorized.
SEN11:  Category III DDM sensitivity alarm, monitor no. 1.
SEN12:  Category III DDM sensitivity alarm, monitor no. 2.
SEN13:  Category III DDM sensitivity alarm, monitor no. 3.
STBY:  Standby transmitter "on" status signal.
STBYRC:  Signal to remote control used to determine STANDBY status.
TEMP:  Temperature alarm inside main cabinet.


Figure B-1.  Glideslope Station
Figure B-2.  Glideslope Control Unit
UHF Transmitter (Course and Clearance) and 10-Watt Amplifier
Figure B-6.  UHF Distribution Circuits
Figure B-9.  Battery Charger


Appendix C

Localizer Failure Analysis


This appendix, referred to in section 7.0, consists of the failure
analysis for the localizer, as shown in table C-1.

Table C-1.  Localizer Failure Analysis (Cont'd)



Appendix D

Glideslope Failure Analysis


This appendix, referred to in section 7.0, consists of the failure
analysis for the glideslope, as shown in table D-1.

Table D-1.  Glideslope Failure Analysis (Cont'd)


Appendix E

Localizer Math Models


This appendix consists of tables E-1 and E-2, referred to in section
8.0, which give, respectively, probability math models for localizer
hazardous signal radiation and shutdown.


Table E-1.  Localizer Hazardous Signal Radiation Probabilities (Cont'd)

Table E-2.  Localizer Shutdown Probabilities (Cont'd)


Glideslope Math Models

This appendix consists of tables F-1 and F-2, referred to in section
8.0, which give, respectively, probability math models for glideslope
hazardous signal radiation and shutdown.


Table F-1.  Glideslope Hazardous Signal Radiation Probabilities (Cont'd)


The probability of a hidden failure of
the course Cat. III SDM integral


Table F-2.  Glideslope Shutdown Probabilities (Cont'd)


Appendix G

Localizer Preventive Maintenance Checks

This appendix, consisting of table G-1, details the preventive
maintenance checks necessary to detect hidden failures in
the localizer.


Table G-1.  Localizer Preventive Maintenance Checks (Cont'd)


Appendix H

Glideslope Preventive Maintenance Checks


Standby Sensitivity | 47 | Same as above.* | (1) Flip switch on monitor to check DDM alarm.** | 2 weeks | 0.2 min.
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